
Trouble removing fake System Restore (and Trojan Killer)


  • This topic is locked
24 replies to this topic

#1 l30nard0
  • Members
  • 11 posts

Posted 24 February 2013 - 11:09 AM

Hi all and thanks in advance for any help I might receive. My PC recently became infected with a fake System Restore (the actual malware had this look  http://www.2-viruses.com/wp-content/uploads/2011/10/SystemRestore.GUI_.png.) 

 

I have tried a few things. To begin with I attempted to remove the file by following the instructions here  http://www.bleepingcomputer.com/virus-removal/remove-system-restore however I got no further than trying to install Malwarebytes Anti-Malware. On installing I get a "Setup Access Denied" message followed by "Setup was not completed. Please correct the problem and run Setup again".

 

Now in my desperation to get this to work I searched online for other potential solutions and stumbled across what appeared to be a genuine site (but which I am now convinced is the actual source of the problem). I downloaded Trojan-Killer (this is the fake anti-malware program http://trojan-killer.net/modified-version-system-restore-virus-delete/ ), installed it and had it scan my computer for over an hour. In the end it found many problems and only offered to fix them after I had purchased a licence. This is when I realised I had fallen into their trap. I did not purchase the licence and instead looked online to see if I could install Malwarebytes. I have been unable to fully install Malwarebytes. I managed to install Spybot SD but this hasn't solved the problem either.

 

All my files are currently missing (hidden I hope) and I am unable to access the task manager or the normal windows uninstall programs. I no longer get those System Restore messages (most likely because I installed the actual fake antimalware) and I can use the internet using links in USB flash drives etc. 

 

Any help would be very much appreciated. If you need any information please let me know. I will not attempt any more "fixes" myself. 

 

Here is the DDS log

------------------------------------

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 1.6.0_26
Run by Administrador at 15:48:10 on 2013-02-24
Microsoft Windows XP Professional  5.1.2600.3.1252.34.3082.18.1535.1277 [GMT 0:00]
.
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\archivos de programa\spybot - search & destroy 2\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\archivos de programa\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype add-on for Internet Explorer: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\archivos de programa\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
mRun: [StartCCC] "c:\archivos de programa\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [NodLogin] "c:\archivos de programa\eset\eset smart security\nodlogin.exe" /o
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\archivos de programa\logitech\video\ISStart.exe 
mRun: [LogitechVideoTray] c:\archivos de programa\logitech\video\LogiTray.exe
mRun: [Eraser] "c:\archiv~1\eraser\Eraser.exe" --atRestart
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"
mRun: [GrooveMonitor] "c:\archivos de programa\microsoft office\office12\GrooveMonitor.exe"
mRun: [OneTouch Monitor] "c:\archivos de programa\xerox one touch\OneTouchMon.exe"
mRun: [SunJavaUpdateSched] "c:\archivos de programa\archivos comunes\java\java update\jusched.exe"
mRun: [SDTray] "c:\archivos de programa\spybot - search & destroy 2\SDTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\archivos de programa\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\archivos de programa\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\archivos de programa\spybot - search & destroy 2\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://codigopostal.correos.cl/correos_cp/soporte_web/consulta_web/versionphp2006/pagina_interior/codigo_postal/consulta_web/cab_mapg/mgaxctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233083407109
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233083483796
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\archivos de programa\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\archivos de programa\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\archivos de programa\archivos comunes\skype\Skype4COM.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\archivos de programa\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - 
.
============= SERVICES / DRIVERS ===============
.
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\archivos de programa\spybot - search & destroy 2\SDFSSvc.exe [2013-2-22 1103392]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\archivos de programa\spybot - search & destroy 2\SDUpdSvc.exe [2013-2-22 1369624]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\archivos de programa\spybot - search & destroy 2\SDWSCSvc.exe [2013-2-22 168384]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2009-8-21 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2009-8-21 3072]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-3-19 13224]
S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\drivers\gtkdrv.sys [2012-1-4 16128]
.
=============== File Associations ===============
.
ShellExec: QSync.exe: Open="c:\archivos de programa\logitech\video\QSync.exe"
.
=============== Created Last 30 ================
.
2013-02-24 12:16:28    --------    d-----w-    c:\windows\system32\NtmsData
2013-02-22 21:38:43    --------    d-----w-    c:\documents and settings\all users\datos de programa\Spybot - Search & Destroy
2013-02-22 21:37:49    15224    ----a-w-    c:\windows\system32\sdnclean.exe
2013-02-22 21:37:41    --------    d-----w-    c:\archivos de programa\Spybot - Search & Destroy 2
2013-02-22 21:09:39    --------    d-----w-    c:\archivos de programa\ESET
2013-02-22 20:04:51    --------    d-----w-    c:\archivos de programa\GridinSoft Trojan Killer
2013-02-22 19:52:32    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-02-21 20:05:02    294912    ---ha-w-    c:\documents and settings\all users\datos de programa\ODJvPpaotTb.exe
.
==================== Find3M  ====================
.
2012-12-14 16:49:28    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2006-10-28 06:30:48    463152    -c-ha-w-    c:\archivos de programa\setup.exe
.
============= FINISH: 15:49:01.46 ===============
 

 

 

 

 

 

#2 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Location: Puerto Rico

Posted 24 February 2013 - 01:20 PM


Hello l30nard0

Welcome to The Forums!!

Around here they call me Gringo and I'll be glad to help you with your malware problems.


Very Important --> Please read this post completely. I have spent my time putting together some things for you to keep in mind while I am helping you, to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-
  • Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller or from here
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator to start"
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
    • Exit/Close RogueKiller
  • Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click the donate link. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 l30nard0 (Topic Starter)
  • Members
  • 11 posts

Posted 25 February 2013 - 06:43 PM

Hi Gringo, thank you very much for your help. I tried all the above steps. Note that as a precaution I unplugged my internet/network cable from the computer (not sure if this is necessary). I have been transferring all the programs with the help of a USB flash drive. 

 

I was able to run all the applications as requested. When I finished running the RogueKiller scan, it opened a Firefox browser with this link http://tigzyrk.blogspot.co.uk/2011/09/rootkit-zeroaccess-max.html

 

I made a note of this and looked it up on my laptop. I then closed out the browser and continued with deleting. Again once this was done it reopened the browser with the same link (not sure if this is relevant).

 

Following this I have noticed that my recycle bin is back on the desktop. When I restore an old txt document from the recycle bin to my desktop it disappears from the recycle bin but does not reappear on my desktop. I have also noticed that, whereas before when I clicked on the start menu all I would see was the switch off/log off options, now I can see the control panel and my documents as well as run (I still cannot find my files). However the list of recently used programs remains blank (except for the Trojan Killer) and when clicking on "all programs" it only displays what I have been able to download (the malware "GridinSoft Trojan Killer" and Spybot SD). I am now also able to bring up the task manager which I wasn't able to do before (I haven't done anything with the task manager, I merely opened it and closed it). I can best describe my computer by saying that I still feel "locked out" without access to my files and settings. However it does seem more responsive than before, and it's encouraging to be able to bring up the task manager, and to see the recycle bin back on the desktop.

 

(My computer is in Spanish and the second program AdwCleaner returned an output in Spanish. "Fichero" = file, "suprimido" = deleted, "El registro no contiene ninguna entrada ilegítima" = the registry (?) does not contain any illegal entries)

 

Once again thanks for your help.

 

 

-Security Check-

 

 

 Results of screen317's Security Check version 0.99.59  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Security Center service is not running! This report may not be accurate!
 WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy 
 Malwarebytes Anti-Malware version 1.65.0.1400  
 Java™ 6 Update 26  
 Java version out of Date!
 Adobe Flash Player 10 Flash Player out of Date!
  Adobe Flash Player     10.1.53.64 Flash Player out of Date!
 Adobe Reader 9 Adobe Reader out of Date!
 Mozilla Firefox (3.6.23) Firefox out of Date!
````````Process Check: objlist.exe by Laurent````````
 Spybot Teatimer.exe is disabled!
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 31% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 
 
-AdwCleaner-

 

 

# AdwCleaner v2.113 - Report created on 25/02/2013 at 22:47:21
# Updated on 23/02/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Leonardo - LEOPC
# Boot mode : Normal
# Run from : C:\Documents and Settings\Leonardo\Escritorio\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\Archivos de programa\Mozilla Firefox\.autoreg
 
***** [Registry] *****
 
 
***** [Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
[OK] The registry does not contain any illegitimate entries.
 
-\\ Mozilla Firefox v3.6.23 (en-GB)
 
File : C:\Documents and Settings\Leonardo\Datos de programa\Mozilla\Firefox\Profiles\zrwf3rwd.default\prefs.js
 
[OK] The file does not contain any illegitimate entries.
 
-\\ Google Chrome v24.0.1312.57
 
File : C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\Google\Chrome\User Data\Default\Preferences
 
[OK] The file does not contain any illegitimate entries.
 
*************************
 
AdwCleaner[S1].txt - [1098 bytes] - [25/02/2013 22:47:21]
 
########## EOF - C:\AdwCleaner[S1].txt - [1158 bytes] ##########
 

-RogueKiller 1-

 

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Leonardo [Admin rights]
Mode : Scan -- Date : 02/25/2013 22:55:56
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 22 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (1) -> FOUND
[HJ] HKCU\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKCU\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKCU\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\{413a93c7-c23e-fd94-61d0-665aa1f21ed0}\n.) [x] -> FOUND
 
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\{413a93c7-c23e-fd94-61d0-665aa1f21ed0}\@ [-] --> FOUND
[ZeroAccess][FOLDER] U : C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\{413a93c7-c23e-fd94-61d0-665aa1f21ed0}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\{413a93c7-c23e-fd94-61d0-665aa1f21ed0}\L --> FOUND
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ Infection : ZeroAccess ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST380215A +++++
--- User ---
[MBR] 11df2425092cfeec6806b8ba7b51b81a
[BSP] 292719160853ca9abe8de041d39ebcfa : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 19069 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 39054960 | Size: 57246 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[1]_S_02252013_02d2255.txt >>
RKreport[1]_S_02252013_02d2255.txt
 
-RogueKiller 2-
 

RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Leonardo [Admin rights]
Mode : Remove -- Date : 02/25/2013 22:59:22
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 22 ¤¤¤
[HJPOL] HKCU\[...]\System : DisableTaskMgr (1) -> DELETED
[HJ] HKCU\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKCU\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[HJ] HKCU\[...]\Security Center : UpdatesDisableNotify (1) -> REPLACED (0)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 :  (C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\{413a93c7-c23e-fd94-61d0-665aa1f21ed0}\n.) [x] -> REPLACED (C:\WINDOWS\system32\shell32.dll)
 
¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\{413a93c7-c23e-fd94-61d0-665aa1f21ed0}\@ [-] --> REMOVED
[Del.Parent][FILE] 00000001.@ : C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\{413a93c7-c23e-fd94-61d0-665aa1f21ed0}\U\00000001.@ [-] --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\{413a93c7-c23e-fd94-61d0-665aa1f21ed0}\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\{413a93c7-c23e-fd94-61d0-665aa1f21ed0}\L --> REMOVED
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ Infection : ZeroAccess ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
 
127.0.0.1       localhost
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: ST380215A +++++
--- User ---
[MBR] 11df2425092cfeec6806b8ba7b51b81a
[BSP] 292719160853ca9abe8de041d39ebcfa : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 19069 Mo
1 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 39054960 | Size: 57246 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[2]_D_02252013_02d2259.txt >>
RKreport[1]_S_02252013_02d2255.txt ; RKreport[2]_D_02252013_02d2259.txt
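The RogueKiller findings in the post above are all per-user registry settings (Task Manager policy, Security Center notifications, Start menu and desktop icon visibility) plus one COM in-process server redirected into the user's profile. The script below is an added example; it is not part of this thread, of RogueKiller, or of any other tool named here. It re-checks those same settings with native PowerShell, reports anything still tampered, and with -Restore writes the clean values back. It assumes the standard key paths for the entries RogueKiller abbreviates as "[...]" (Policies\System, Security Center, Explorer\Advanced, Explorer\HideDesktopIcons). The CLSID that ZeroAccess redirected is elided in the log, so the COM check is generic: it only flags per-user InprocServer32 entries that point outside Windows and Program Files, or whose path has the "{guid}\n" shape shown in the log.

```powershell
<#
  Audit-HijackedShell.ps1 (added example; not from this thread, RogueKiller
  or any other tool named in it). Re-checks the per-user values the
  RogueKiller scan reported and looks for a ZeroAccess-style InprocServer32
  redirection. Without -Restore it only reports.
  Assumption: the "[...]" RogueKiller abbreviates are the standard key paths
  written out below; the hijacked CLSID is not in the log, so the COM check
  is generic rather than keyed to one CLSID.
#>
param([switch]$Restore)

$ms = 'HKCU:\Software\Microsoft'
$expected = @{}   # "<key>|<value name>" -> the value a clean profile has
$expected["$ms\Windows\CurrentVersion\Policies\System|DisableTaskMgr"] = 0
foreach ($v in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $expected["$ms\Security Center|$v"] = 0
}
# Start_Show* = 0 hides a Start menu item; the list is the one from the scan log.
foreach ($item in 'MyComputer', 'Search', 'MyDocs', 'RecentDocs', 'User', 'MyPics', 'MyGames',
                  'MyMusic', 'ControlPanel', 'Help', 'Printers', 'Run', 'SetProgramAccessAndDefaults') {
    $expected["$ms\Windows\CurrentVersion\Explorer\Advanced|Start_Show$item"] = 1
}
# HideDesktopIcons\<panel>\<CLSID> = 1 hides that desktop icon.
# {20D04FE0-...} is My Computer, {645FF040-...} is the Recycle Bin.
foreach ($panel in 'ClassicStartMenu', 'NewStartPanel') {
    foreach ($icon in '{20D04FE0-3AEA-1069-A2D8-08002B30309D}', '{645FF040-5081-101B-9F08-00AA002F954E}') {
        $expected["$ms\Windows\CurrentVersion\Explorer\HideDesktopIcons\$panel|$icon"] = 0
    }
}

function Test-TamperedValues {
    foreach ($entry in $expected.GetEnumerator()) {
        $key, $name = $entry.Key -split '\|', 2
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        # A missing value is the default, i.e. the clean state, for every entry above.
        if ($null -eq $current -or $current -eq $entry.Value) { continue }
        New-Object PSObject -Property @{ Key = $key; Name = $name; Found = $current; Expected = $entry.Value }
        if ($Restore) {
            # Setting DisableTaskMgr to 0 is equivalent to the DELETED that RogueKiller did.
            Set-ItemProperty -Path $key -Name $name -Value $entry.Value -Type DWord
        }
    }
}

function Test-UserComServers {
    # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes.
    # The redirected server in the log lives in the user's profile, so the
    # per-user branch (writable without admin rights) is the one checked here.
    $trusted = @($env:SystemRoot, $env:ProgramFiles) | Where-Object { $_ } | ForEach-Object { $_.ToLower() }
    Get-ChildItem 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $srvKey = "Registry::$($_.Name)\InprocServer32"
        if (-not (Test-Path $srvKey)) { return }
        $raw = (Get-ItemProperty -Path $srvKey).'(default)'
        if (-not $raw) { return }
        $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
        $lower = $dll.ToLower()
        # The log's server path ends in "{guid}\n": a file called "n" inside a GUID-named folder.
        $zeroAccessShape = $lower -match '\\\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\n\.?$'
        $inTrustedDir = $false
        foreach ($dir in $trusted) { if ($lower.StartsWith($dir)) { $inTrustedDir = $true } }
        if ($inTrustedDir -and -not $zeroAccessShape) { return }
        if ($zeroAccessShape) { $verdict = 'ZeroAccess-shaped path' }
        elseif ($lower -notmatch '\\') { $verdict = 'bare DLL name, resolved via the loader search path' }
        elseif (-not (Test-Path -LiteralPath $dll)) { $verdict = 'file not visible, possibly hidden' }
        else { $verdict = 'outside Windows and Program Files, review' }
        New-Object PSObject -Property @{ CLSID = $_.PSChildName; Server = $dll; Verdict = $verdict }
    }
}

$findings = @(Test-TamperedValues) + @(Test-UserComServers)
if ($findings.Count -eq 0) { 'Nothing tampered in the checked keys.' } else { $findings | Format-List }
```

Save it as Audit-HijackedShell.ps1, run `powershell -ExecutionPolicy Bypass -File .\Audit-HijackedShell.ps1` as the affected user to compare its report with the RogueKiller log, and run it again with `-Restore` to write the clean values. Explorer only picks up the Start_Show* and HideDesktopIcons changes after it restarts (log off and back on). The COM check never rewrites anything: the right server for a redirected CLSID depends on which CLSID it is (RogueKiller put shell32.dll back for the one it found), so fix those entries by hand once you have identified the class.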
 
 
 
 
 


#4 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,773 posts
  • Location: Puerto Rico

Posted 25 February 2013 - 09:51 PM


Hello l30nard0

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

  • Gringo




#5 l30nard0 (Topic Starter)
  • Members
  • 11 posts

Posted 26 February 2013 - 06:26 PM

Hello Gringo

 

I followed your instructions as closely as I could and it seems to have worked!! Thank you very much.

 

I didn't know if Windows Firewall was active; it turns out that it wasn't, as I couldn't even access it. Likewise I didn't know if Malwarebytes was working in the background or not. Again the virus must have disabled it as I couldn't access it. I used the Task Manager to kill all non-essential processes (the scanner and some updaters) before running Combofix. I did have to download the Recovery Console and install it. Whilst it was running, near the end, the default screen saver took over and I had to "log back in".

 

I can now see all my shortcuts and files. I have opened a few PDFs and Chrome browser to post here. I probably need to back up all my data and update all the software that I currently use (I'll have a look elsewhere in the forum or look at any links you might want to suggest). I don't want to use my desktop computer much in case there is still some work/cleaning left to do.

 

One thing that I have noticed is that in the taskbar there is an icon for "System Repair" (this is what the original virus was called, and so I haven't touched this).

 

I am also aware that I need to remove what I am convinced is part of the virus - Trojan Killer. Will removing using control panel -> add/remove programs be enough or will it require something else?

 

Once again thank you very much for all your help. Here is the log

 

-ComboFix-

 

 

 

ComboFix 13-02-26.01 - Leonardo 26/02/2013  22:14:04.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.34.3082.18.1535.1116 [GMT 0:00]
Running from: c:\documents and settings\Leonardo\Escritorio\ComboFix.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\archivos de programa\WinRAR\setup.s
c:\documents and settings\All Users\Datos de programa\ODJvPpaotTb
c:\documents and settings\All Users\Datos de programa\ODJvPpaotTb.exe
c:\documents and settings\All Users\Datos de programa\tmp17.tmp
c:\documents and settings\All Users\Datos de programa\tmp46.tmp
c:\documents and settings\All Users\Datos de programa\tmp8.tmp
c:\documents and settings\All Users\Datos de programa\tmpB.tmp
c:\documents and settings\All Users\Datos de programa\tmpF.tmp
c:\documents and settings\Leonardo\Datos de programa\daweca.dll
c:\documents and settings\Leonardo\Datos de programa\nesht.dll
c:\documents and settings\Leonardo\WINDOWS
c:\windows\system32\SET314.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\regtlib.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-26 to 2013-02-26  )))))))))))))))))))))))))))))))
.
.
2013-02-25 22:54 . 2013-02-25 22:54    15616    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2013-02-24 12:16 . 2013-02-24 12:24    --------    d-----w-    c:\windows\system32\NtmsData
2013-02-22 21:38 . 2013-02-22 23:18    --------    d-----w-    c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy
2013-02-22 21:37 . 2009-01-25 12:14    15224    ----a-w-    c:\windows\system32\sdnclean.exe
2013-02-22 21:37 . 2013-02-22 21:38    --------    d-----w-    c:\archivos de programa\Spybot - Search & Destroy 2
2013-02-22 21:09 . 2013-02-22 21:09    --------    d-----w-    c:\archivos de programa\ESET
2013-02-22 20:04 . 2013-02-24 14:04    --------    d-----w-    c:\archivos de programa\GridinSoft Trojan Killer
2013-02-22 19:52 . 2013-02-22 22:58    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-02-22 19:31 . 2013-02-22 19:31    --------    d-----w-    c:\documents and settings\Administrador
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-14 16:49 . 2012-06-05 20:43    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2006-10-28 06:30 . 2010-06-13 23:31    463152    -c-ha-w-    c:\archivos de programa\setup.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\archivos de programa\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\archivos de programa\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\archivos de programa\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Eraser"="c:\archiv~1\Eraser\Eraser.exe" [2009-12-15 976784]
"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"GrooveMonitor"="c:\archivos de programa\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"OneTouch Monitor"="c:\archivos de programa\Xerox One Touch\OneTouchMon.exe" [2003-06-12 86016]
"SunJavaUpdateSched"="c:\archivos de programa\Archivos comunes\Java\Java Update\jusched.exe" [2011-04-08 254696]
"SDTray"="c:\archivos de programa\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Leonardo\Menú Inicio\Programas\Inicio\
MagicDisc.lnk - c:\archivos de programa\MagicDisc\MagicDisc.exe [2010-6-13 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Archivos de programa\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Archivos de programa\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Archivos de programa\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Archivos de programa\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\archivos de programa\Spybot - Search & Destroy 2\SDFSSvc.exe [22/02/2013 21:37 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\archivos de programa\Spybot - Search & Destroy 2\SDUpdSvc.exe [22/02/2013 21:37 1369624]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\archivos de programa\Spybot - Search & Destroy 2\SDWSCSvc.exe [22/02/2013 21:37 168384]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [21/08/2009 19:28 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [21/08/2009 19:28 3072]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [19/03/2009 19:18 13224]
S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\drivers\gtkdrv.sys [04/01/2012 14:28 16128]
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-26 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\archivos de programa\Spybot - Search & Destroy 2\SDUpdate.exe [2013-02-22 14:08]
.
2013-02-22 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\archivos de programa\Spybot - Search & Destroy 2\SDImmunize.exe [2013-02-22 14:07]
.
2013-02-22 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\archivos de programa\Spybot - Search & Destroy 2\SDScan.exe [2013-02-22 14:07]
.
2013-02-26 c:\windows\Tasks\User_Feed_Synchronization-{3B662D6E-2163-4EB8-9F83-12FCC1DF4732}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Leonardo\Datos de programa\Mozilla\Firefox\Profiles\zrwf3rwd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\archivos de programa\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\archivos de programa\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-NodLogin - c:\archivos de programa\ESET\ESET Smart Security\nodlogin.exe
Notify-SDWinLogon - SDWinLogon.dll
SafeBoot-10958256.sys
AddRemove-Update Service - c:\archivos de programa\Sony Ericsson\Update Service\uninst.exe
AddRemove-Smart Fortress 2012 - c:\documents and settings\All Users\Datos de programa\529C536900266C04000069E7D151FC4E\529C536900266C04000069E7D151FC4E.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-26 22:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(680)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2013-02-26  22:31:37
ComboFix-quarantined-files.txt  2013-02-26 22:31
.
Pre-Run: 2,600,992,768 bytes libres
Post-Run: 2,775,269,376 bytes libres
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 96453AE04D2C31C98E524C5CA64DF9E2
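
The ComboFix log above is the kind of output a Malware Response Team helper reads by eye. As an added example (not part of this thread and not ComboFix's own code), here is a Python script that splits such a log into its banner-delimited sections, parses the "Files Created" rows, and flags the paths a responder would look at first: executables or tmp*.tmp files dropped directly in an Application Data root (as with ODJvPpaotTb.exe and daweca.dll under "Other Deletions"), bare 32-hex-digit names (as with the orphaned Smart Fortress 2012 entry), and newly created kernel drivers. The sample log embedded in the script is constructed from a subset of the posted lines; the heuristics are the editor's, not ComboFix's.

```python
# Added example (not ComboFix code, not from this thread): a first triage pass over ComboFix log text.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in ComboFix's layout (a subset of the log posted above).
SAMPLE_LOG = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\archivos de programa\WinRAR\setup.s
c:\documents and settings\All Users\Datos de programa\ODJvPpaotTb
c:\documents and settings\All Users\Datos de programa\ODJvPpaotTb.exe
c:\documents and settings\All Users\Datos de programa\tmp17.tmp
c:\documents and settings\Leonardo\Datos de programa\daweca.dll
.
(((((((((((((((((((((((((   Files Created from 2013-01-26 to 2013-02-26  )))))))))))))))))))))))))))))))
.
2013-02-25 22:54 . 2013-02-25 22:54    15616    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2013-02-22 20:04 . 2013-02-24 14:04    --------    d-----w-    c:\archivos de programa\GridinSoft Trojan Killer
"""

SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")  # "(((  Section Name  )))" banners
CREATED_RE = re.compile(  # "<created> . <modified>  <size|-------->  <attrs>  <path>"
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"\s+(\S+)\s+(\S+)\s+(.+?)\s*$"
)
# XP "Application Data" roots (Spanish and English folder names) and ProgramData; group 1 = base name.
APPDATA_ROOT_RE = re.compile(
    r"^(?:c:\\documents and settings\\[^\\]+\\(?:datos de programa|application data)"
    r"|c:\\programdata)\\([^\\]+)$",
    re.IGNORECASE,
)
# Bare 32-hex-digit names, like the orphaned Smart Fortress 2012 entry in the log above.
HEX32_RE = re.compile(r"^[0-9a-f]{32}(?:\.exe)?$", re.IGNORECASE)

@dataclass
class CreatedEntry:
    created: str
    modified: str
    size: Optional[int]  # None for directories, which ComboFix prints as "--------"
    attrs: str
    path: str

def split_sections(log_text: str) -> Dict[str, List[str]]:
    """Group the non-empty lines under the banner they follow."""
    current = "preamble"
    sections: Dict[str, List[str]] = {current: []}
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":  # ComboFix uses a lone "." as a spacer
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def parse_created(lines: List[str]) -> List[CreatedEntry]:
    """Parse 'Files Created' / 'Find3M' rows; lines in another layout are skipped."""
    entries = []
    for line in lines:
        m = CREATED_RE.match(line)
        if m:
            created, modified, size, attrs, path = m.groups()
            entries.append(CreatedEntry(created, modified, int(size) if size.isdigit() else None, attrs, path))
    return entries

def flag_path(path: str) -> List[str]:
    """Return the reasons, possibly none, a responder would look twice at a path."""
    reasons = []
    lower = path.lower()
    base = lower.rsplit("\\", 1)[-1]
    in_appdata_root = APPDATA_ROOT_RE.match(lower) is not None
    if in_appdata_root and base.endswith((".exe", ".dll", ".sys")):
        reasons.append("executable directly in an Application Data root")
    if in_appdata_root and base.startswith("tmp") and base.endswith(".tmp"):
        reasons.append("tmp*.tmp dropped in Application Data")
    if HEX32_RE.match(base):
        reasons.append("32-hex-character name")
    if "\\drivers\\" in lower and base.endswith(".sys"):
        reasons.append("new kernel driver")
    return reasons

def triage(log_text: str) -> Dict[str, List[str]]:
    """Map every flagged path in the deletion and creation sections to its reasons."""
    findings: Dict[str, List[str]] = {}
    for name, lines in split_sections(log_text).items():
        if name == "Other Deletions":
            paths = lines
        elif name.startswith("Files Created") or name == "Find3M Report":
            paths = [e.path for e in parse_created(lines)]
        else:
            continue
        for path in paths:
            reasons = flag_path(path)
            if reasons:
                findings[path] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(f"{path}\n    -> {'; '.join(reasons)}")
```

Run as a script it prints the four flagged paths from the sample. The flags are starting points, not verdicts: TrueSight.sys, for instance, is listed only because it is a freshly created driver, and a responder would establish which product installed it before acting on it.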

#6 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 26 February 2013 - 08:59 PM


Hello l30nard0

At this time I would like you to run this script for me, and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:
 ClearJavaCache:: 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"
  • In your next post I need the following
    • report from Combofix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 l30nard0
  • Topic Starter
  • Members
  • 11 posts

Posted 27 February 2013 - 06:34 PM

Hello Gringo

I didn't encounter any problems running the script. It didn't restart or display the error message "illegal operation attempted...". Before running the script I did not close all the security software like I did yesterday when running ComboFix. However, this doesn't appear to have been a problem.

The computer is now almost back to normal except for the icons for Trojan Killer and System Repair. They appear on my desktop and the startup menu. The Trojan Killer is also listed when I open Windows Add/Remove Programs. I tested my computer by browsing the Internet including YouTube, working with Word and Excel, and printing. It did everything as expected.

One odd thing. There is a large space in the taskbar and the unknown icon shown below. When I hover over it, it displays "System Repair System Repair".

[Attached image: Taskbar2.JPG]

and when I open the folder in

C:\Documents and Settings\Leonardo\Datos de programa\Microsoft\Internet Explorer\Quick Launch

I see the following item which was not there before

[Attached image: Taskbar_shortcut.JPG]

Other than that the computer seems fine. I still need to update Windows (there were about 30 security updates). Thank you very much for your help. If there is anything else that I need to do, please let me know.

l30nard0

-CFScript-

ComboFix 13-02-26.01 - Leonardo 27/02/2013  22:03:57.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.34.3082.18.1535.1013 [GMT 0:00]
Running from: c:\documents and settings\Leonardo\Escritorio\ComboFix.exe
Command switches used :: c:\documents and settings\Leonardo\Escritorio\CFScript.txt
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-27 to 2013-02-27  )))))))))))))))))))))))))))))))
.
.
2013-02-27 21:20 . 2013-02-27 21:20    --------    d-----w-    c:\windows\LastGood
2013-02-25 22:54 . 2013-02-25 22:54    15616    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2013-02-24 12:16 . 2013-02-24 12:24    --------    d-----w-    c:\windows\system32\NtmsData
2013-02-22 21:38 . 2013-02-22 23:18    --------    d-----w-    c:\documents and settings\All Users\Datos de programa\Spybot - Search & Destroy
2013-02-22 21:37 . 2009-01-25 12:14    15224    ----a-w-    c:\windows\system32\sdnclean.exe
2013-02-22 21:37 . 2013-02-22 21:38    --------    d-----w-    c:\archivos de programa\Spybot - Search & Destroy 2
2013-02-22 21:09 . 2013-02-22 21:09    --------    d-----w-    c:\archivos de programa\ESET
2013-02-22 20:04 . 2013-02-24 14:04    --------    d-----w-    c:\archivos de programa\GridinSoft Trojan Killer
2013-02-22 19:52 . 2013-02-22 22:58    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-02-22 19:31 . 2013-02-22 19:31    --------    d-----w-    c:\documents and settings\Administrador
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-12-14 16:49 . 2012-06-05 20:43    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2006-10-28 06:30 . 2010-06-13 23:31    463152    -c--a-w-    c:\archivos de programa\setup.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\archivos de programa\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\archivos de programa\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\archivos de programa\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"Eraser"="c:\archiv~1\Eraser\Eraser.exe" [2009-12-15 976784]
"Adobe Reader Speed Launcher"="c:\archivos de programa\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"GrooveMonitor"="c:\archivos de programa\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"OneTouch Monitor"="c:\archivos de programa\Xerox One Touch\OneTouchMon.exe" [2003-06-12 86016]
"SunJavaUpdateSched"="c:\archivos de programa\Archivos comunes\Java\Java Update\jusched.exe" [2011-04-08 254696]
"SDTray"="c:\archivos de programa\Spybot - Search & Destroy 2\SDTray.exe" [2012-11-13 3825176]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Leonardo\Menú Inicio\Programas\Inicio\
MagicDisc.lnk - c:\archivos de programa\MagicDisc\MagicDisc.exe [2010-6-13 576000]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Archivos de programa\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Archivos de programa\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Archivos de programa\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Archivos de programa\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\archivos de programa\Spybot - Search & Destroy 2\SDFSSvc.exe [22/02/2013 21:37 1103392]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\archivos de programa\Spybot - Search & Destroy 2\SDUpdSvc.exe [22/02/2013 21:37 1369624]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\archivos de programa\Spybot - Search & Destroy 2\SDWSCSvc.exe [22/02/2013 21:37 168384]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [21/08/2009 19:28 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [21/08/2009 19:28 3072]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [19/03/2009 19:18 13224]
S3 TrojanKillerDriver;GridinSoft Trojan Killer Driver;c:\windows\system32\drivers\gtkdrv.sys [04/01/2012 14:28 16128]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - BITS
*NewlyCreated* - WS2IFSL
*NewlyCreated* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-27 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\archivos de programa\Spybot - Search & Destroy 2\SDUpdate.exe [2013-02-22 14:08]
.
2013-02-22 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\archivos de programa\Spybot - Search & Destroy 2\SDImmunize.exe [2013-02-22 14:07]
.
2013-02-22 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\archivos de programa\Spybot - Search & Destroy 2\SDScan.exe [2013-02-22 14:07]
.
2013-02-27 c:\windows\Tasks\User_Feed_Synchronization-{3B662D6E-2163-4EB8-9F83-12FCC1DF4732}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\archiv~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Leonardo\Datos de programa\Mozilla\Firefox\Profiles\zrwf3rwd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\archivos de programa\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\archivos de programa\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\archivos de programa\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-27 22:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(676)
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'explorer.exe'(1120)
c:\windows\system32\WININET.dll
c:\archivos de programa\Windows Media Player\wmpband.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-02-27  22:12:45
ComboFix-quarantined-files.txt  2013-02-27 22:12
ComboFix2.txt  2013-02-26 22:31
.
Pre-Run: 2,474,389,504 bytes libres
Post-Run: 2,505,039,872 bytes libres
.
- - End Of File - - 15A1E1F117FB8DD080B164520889296F

#8 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 27 February 2013 - 09:44 PM


Hello l30nard0

Let's get a deeper look into the system and let's see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.

Gringo


#9 l30nard0
  • Topic Starter
  • Members
  • 11 posts

Posted 28 February 2013 - 06:12 PM

Hello Gringo

Shortly after starting my computer today I got a pop-up about sending an error message to Windows for analysis. I wanted to obtain the actual error message so you could see it, but by mistake I clicked on "send later" (hopefully next time I'll be able to see the error message and save it in case it's useful).

I ran OTL as instructed and didn't experience any problems. Below is the report. I look forward to your reply and will try to carry out whatever instructions you give (but I might not be able to do it this weekend, although I will definitely try). Thanks again for all your kind help.

l30nard0

-OTL-

OTL logfile created on: 28/02/2013 22:41:12 - Run 1
OTL by OldTimer - Version 3.2.69.0     Folder = C:\Documents and Settings\Leonardo\Escritorio
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: Reino Unido | Language: ENG | Date Format: dd/MM/yyyy
 
1.50 Gb Total Physical Memory | 1.04 Gb Available Physical Memory | 69.09% Memory free
3.35 Gb Paging File | 2.98 Gb Available in Paging File | 88.85% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Archivos de programa
Drive C: | 18.62 Gb Total Space | 1.66 Gb Free Space | 8.94% Space Free | Partition Type: NTFS
Drive D: | 55.90 Gb Total Space | 12.67 Gb Free Space | 22.66% Space Free | Partition Type: NTFS
 
Computer Name: LEOPC | User Name: Leonardo | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
 
========== Processes (SafeList) ==========
 
PRC - C:\Documents and Settings\Leonardo\Escritorio\OTL.exe (OldTimer Tools)
PRC - C:\Archivos de programa\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
PRC - C:\Archivos de programa\Spybot - Search & Destroy 2\SDUpdSvc.exe (Safer-Networking Ltd.)
PRC - C:\Archivos de programa\Spybot - Search & Destroy 2\SDFSSvc.exe (Safer-Networking Ltd.)
PRC - C:\Archivos de programa\Archivos comunes\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
PRC - C:\Archivos de programa\Eraser\Eraser.exe (The Eraser Project)
PRC - C:\Archivos de programa\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\system32\LVCOMSX.EXE (Logitech Inc.)
PRC - C:\Archivos de programa\Logitech\Video\LogiTray.exe (Logitech Inc.)
PRC - C:\Archivos de programa\Logitech\Video\FxSvr2.exe (Logitech Inc.)
PRC - C:\Archivos de programa\Xerox One Touch\OneTouchMon.exe (Visioneer Inc)
 
 
========== Modules (No Company Name) ==========
 
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\e143370f0583abe015d8e3d2d536185e\System.Web.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Core\edbf4e4a55e63b9fbf0b0b40cba13063\System.Core.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\024c898ad1ccfde466d033c0a08d0564\Microsoft.VisualBasic.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\96b7a0136e9e72e8f4eb0230c20766d2\System.Configuration.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\cbee94ec6a0fe649e3b4643cea6e1259\Accessibility.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\fe025743210c22bea2f009e1612c38bf\System.Xml.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ba12e418b906593b7c9c18f971f36bf9\System.Windows.Forms.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\7782f356a838c403b4a8e9c80df5a577\System.Drawing.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll ()
MOD - C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll ()
MOD - C:\Archivos de programa\Spybot - Search & Destroy 2\snlFileFormats150.bpl ()
MOD - C:\Archivos de programa\Spybot - Search & Destroy 2\snlThirdParty150.bpl ()
MOD - C:\Archivos de programa\Spybot - Search & Destroy 2\VirtualTreesDXE150.bpl ()
MOD - C:\Archivos de programa\Spybot - Search & Destroy 2\JSDialogPack150.bpl ()
MOD - C:\Archivos de programa\Spybot - Search & Destroy 2\DEC150.bpl ()
MOD - C:\Archivos de programa\Spybot - Search & Destroy 2\sqlite3.dll ()
MOD - C:\WINDOWS\system32\WgaLogon.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCV.Graphics.Wizard\2.0.3111.37135__90ba9c70f846762e\CLI.Aspect.DeviceCV.Graphics.Wizard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceTV.Graphics.Wizard\2.0.3111.37156__90ba9c70f846762e\CLI.Aspect.DeviceTV.Graphics.Wizard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Runtime\2.0.3111.36985__90ba9c70f846762e\CLI.Caste.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.InfoCentre.Graphics.Wizard\2.0.3111.37025__90ba9c70f846762e\CLI.Aspect.InfoCentre.Graphics.Wizard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceTV.Graphics.Runtime\2.0.3111.37149__90ba9c70f846762e\CLI.Aspect.DeviceTV.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Wizard\2.0.3111.37017__90ba9c70f846762e\CLI.Caste.Graphics.Wizard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceProperty.Graphics.Runtime\2.0.3111.37101__90ba9c70f846762e\CLI.Aspect.DeviceProperty.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.HotkeysHandling.Graphics.Runtime\2.0.3111.37005__90ba9c70f846762e\CLI.Aspect.HotkeysHandling.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.TransCode.Graphics.Wizard\2.0.3111.37177__90ba9c70f846762e\CLI.Aspect.TransCode.Graphics.Wizard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCV.Graphics.Runtime\2.0.3111.37119__90ba9c70f846762e\CLI.Aspect.DeviceCV.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.Welcome.Graphics.Dashboard\2.0.3111.37178__90ba9c70f846762e\CLI.Aspect.Welcome.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.VPURecover.Graphics.Dashboard\2.0.3111.37025__90ba9c70f846762e\CLI.Aspect.VPURecover.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Dashboard\2.0.3111.36998__90ba9c70f846762e\CLI.Caste.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.VPURecover.Graphics.Runtime\2.0.3111.37024__90ba9c70f846762e\CLI.Aspect.VPURecover.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.OverDrive5.Graphics.Dashboard\2.0.3111.37196__90ba9c70f846762e\CLI.Aspect.OverDrive5.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.Radeon3D.Graphics.Dashboard\2.0.3111.37127__90ba9c70f846762e\CLI.Aspect.Radeon3D.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.Radeon3D.Graphics.Wizard\2.0.3111.37128__90ba9c70f846762e\CLI.Aspect.Radeon3D.Graphics.Wizard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.OverDrive5.Graphics.Runtime\2.0.3111.37196__90ba9c70f846762e\CLI.Aspect.OverDrive5.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.Radeon3D.Graphics.Runtime\2.0.3111.37127__90ba9c70f846762e\CLI.Aspect.Radeon3D.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.SmartGart.Graphics.Runtime\2.0.3111.37046__90ba9c70f846762e\CLI.Aspect.SmartGart.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.MMVideo.Graphics.Dashboard\2.0.3111.37103__90ba9c70f846762e\CLI.Aspect.MMVideo.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysColour2.Graphics.Dashboard\2.0.3111.37026__90ba9c70f846762e\CLI.Aspect.DisplaysColour2.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysManager.Graphics.Dashboard\2.0.3111.37006__90ba9c70f846762e\CLI.Aspect.DisplaysManager.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.MMVideo.Graphics.Wizard\2.0.3111.37141__90ba9c70f846762e\CLI.Aspect.MMVideo.Graphics.Wizard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.InfoCentre.Graphics.Dashboard\2.0.3111.37026__90ba9c70f846762e\CLI.Aspect.InfoCentre.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysOptions.Graphics.Dashboard\2.0.3111.37117__90ba9c70f846762e\CLI.Aspect.DisplaysOptions.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.MMVideo.Graphics.Runtime\2.0.3111.37102__90ba9c70f846762e\CLI.Aspect.MMVideo.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysOptions.Graphics.Runtime\2.0.3111.37117__90ba9c70f846762e\CLI.Aspect.DisplaysOptions.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceTV.Graphics.Dashboard\2.0.3111.37150__90ba9c70f846762e\CLI.Aspect.DeviceTV.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCV.Graphics.Dashboard\2.0.3111.37120__90ba9c70f846762e\CLI.Aspect.DeviceCV.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceDFP.Graphics.Dashboard\2.0.3111.37095__90ba9c70f846762e\CLI.Aspect.DeviceDFP.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCRT.Graphics.Dashboard\2.0.3111.37102__90ba9c70f846762e\CLI.Aspect.DeviceCRT.Graphics.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceDFP.Graphics.Runtime\2.0.3111.37101__90ba9c70f846762e\CLI.Aspect.DeviceDFP.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysColour2.Graphics.Runtime\2.0.3111.37032__90ba9c70f846762e\CLI.Aspect.DisplaysColour2.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCRT.Graphics.Runtime\2.0.3111.37102__90ba9c70f846762e\CLI.Aspect.DeviceCRT.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceLCD.Graphics.Runtime\2.0.3111.37118__90ba9c70f846762e\CLI.Aspect.DeviceLCD.Graphics.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.Hotkeys.Shared\2.0.3092.25949__90ba9c70f846762e\AEM.Plugin.Hotkeys.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\AEM.Actions.CCAA.Shared\2.0.3092.25944__90ba9c70f846762e\AEM.Actions.CCAA.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.WinMessages.Shared\2.0.3092.25956__90ba9c70f846762e\AEM.Plugin.WinMessages.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.GD.Shared\2.0.3092.26016__90ba9c70f846762e\AEM.Plugin.GD.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.EEU.Shared\2.0.3092.25969__90ba9c70f846762e\AEM.Plugin.EEU.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.DPPE.Shared\2.0.3092.26016__90ba9c70f846762e\AEM.Plugin.DPPE.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\atixclib\1.0.0.0__90ba9c70f846762e\atixclib.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Foundation\2.0.3092.25937__90ba9c70f846762e\CLI.Foundation.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Shared\2.0.3092.25951__90ba9c70f846762e\CLI.Caste.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\DEM.Graphics.I0601\2.0.2573.17685__90ba9c70f846762e\DEM.Graphics.I0601.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.TransCode.Graphics.Shared\2.0.3092.26011__90ba9c70f846762e\CLI.Aspect.TransCode.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation\2.0.3092.25934__90ba9c70f846762e\LOG.Foundation.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\NEWAEM.Foundation\2.0.3092.25936__90ba9c70f846762e\NEWAEM.Foundation.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Foundation.XManifest\2.0.3092.26049__90ba9c70f846762e\CLI.Foundation.XManifest.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\DEM.OS.I0602\2.0.3092.25972__90ba9c70f846762e\DEM.OS.I0602.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\DEM.Graphics.I0703\2.0.2651.18802__90ba9c70f846762e\DEM.Graphics.I0703.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Wizard.Shared\2.0.3092.25954__90ba9c70f846762e\CLI.Component.Wizard.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Dashboard.Shared\2.0.3092.25948__90ba9c70f846762e\CLI.Component.Dashboard.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Client.Shared\2.0.3092.25944__90ba9c70f846762e\CLI.Component.Client.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.VPURecover.Graphics.Shared\2.0.3092.25983__90ba9c70f846762e\CLI.Aspect.VPURecover.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\MOM.Foundation\2.0.3092.25966__90ba9c70f846762e\MOM.Foundation.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\DEM.OS\2.0.3092.26012__90ba9c70f846762e\DEM.OS.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\DEM.Graphics.I0706\2.0.2743.23304__90ba9c70f846762e\DEM.Graphics.I0706.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\DEM.Graphics\2.0.3092.25972__90ba9c70f846762e\DEM.Graphics.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\DEM.Foundation\2.0.2573.17684__90ba9c70f846762e\DEM.Foundation.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Runtime.Shared\2.0.3092.25950__90ba9c70f846762e\CLI.Component.Runtime.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Wizard.Shared\2.0.3092.25982__90ba9c70f846762e\CLI.Caste.Graphics.Wizard.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Dashboard.Shared\2.0.3092.25973__90ba9c70f846762e\CLI.Caste.Graphics.Dashboard.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceTV.Graphics.Shared\2.0.3092.25994__90ba9c70f846762e\CLI.Aspect.DeviceTV.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.OverDrive5.Graphics.Shared\2.0.3092.26011__90ba9c70f846762e\CLI.Aspect.OverDrive5.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.Radeon3D.Graphics.Shared\2.0.3092.25993__90ba9c70f846762e\CLI.Aspect.Radeon3D.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.MMVideo.Graphics.Shared\2.0.3092.25989__90ba9c70f846762e\CLI.Aspect.MMVideo.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceDFP.Graphics.Shared\2.0.3092.25988__90ba9c70f846762e\CLI.Aspect.DeviceDFP.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCV.Graphics.Shared\2.0.3092.25992__90ba9c70f846762e\CLI.Aspect.DeviceCV.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceProperty.Graphics.Shared\2.0.3092.25966__90ba9c70f846762e\CLI.Aspect.DeviceProperty.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysColour2.Graphics.Shared\2.0.3092.25983__90ba9c70f846762e\CLI.Aspect.DisplaysColour2.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceLCD.Graphics.Shared\2.0.3092.25973__90ba9c70f846762e\CLI.Aspect.DeviceLCD.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.SmartGart.Graphics.Shared\2.0.3092.25984__90ba9c70f846762e\CLI.Aspect.SmartGart.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DisplaysOptions.Graphics.Shared\2.0.3092.25990__90ba9c70f846762e\CLI.Aspect.DisplaysOptions.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.HotkeysHandling.Graphics.Shared\2.0.3092.25973__90ba9c70f846762e\CLI.Aspect.HotkeysHandling.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.DeviceCRT.Graphics.Shared\2.0.3092.25989__90ba9c70f846762e\CLI.Aspect.DeviceCRT.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Aspect.CustomFormats.Graphics.Shared\2.0.3092.25970__90ba9c70f846762e\CLI.Aspect.CustomFormats.Graphics.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\ACE.Graphics.DisplaysManager.Shared\2.0.2573.17685__90ba9c70f846762e\ACE.Graphics.DisplaysManager.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\APM.Foundation\2.0.3092.25968__90ba9c70f846762e\APM.Foundation.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\AEM.Server.Shared\2.0.3092.25949__90ba9c70f846762e\AEM.Server.Shared.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.SkinFactory.resources\2.0.3111.36978_es_90ba9c70f846762e\CLI.Component.SkinFactory.resources.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\AEM.Plugin.Source.Kit.Server\2.0.3111.37188__90ba9c70f846762e\AEM.Plugin.Source.Kit.Server.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\LOCALIZATION.Foundation.Implementation\2.0.3111.37199__90ba9c70f846762e\LOCALIZATION.Foundation.Implementation.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Runtime.Extension.EEU\2.0.3111.36975__90ba9c70f846762e\CLI.Component.Runtime.Extension.EEU.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Dashboard\2.0.3111.36992__90ba9c70f846762e\CLI.Component.Dashboard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Wizard\2.0.3111.37011__90ba9c70f846762e\CLI.Component.Wizard.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\MOM.Implementation\2.0.3111.37169__90ba9c70f846762e\MOM.Implementation.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Implementation\2.0.3111.37168__90ba9c70f846762e\LOG.Foundation.Implementation.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.SkinFactory\2.0.3111.36978__90ba9c70f846762e\CLI.Component.SkinFactory.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Runtime\2.0.3111.36977__90ba9c70f846762e\CLI.Component.Runtime.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Runtime.Shared.Private\2.0.3092.25970__90ba9c70f846762e\CLI.Component.Runtime.Shared.Private.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Foundation.Private\2.0.3092.25941__90ba9c70f846762e\CLI.Foundation.Private.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Private\2.0.3092.25946__90ba9c70f846762e\LOG.Foundation.Private.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Wizard.Shared.Private\2.0.3092.25969__90ba9c70f846762e\CLI.Component.Wizard.Shared.Private.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\LOG.Foundation.Implementation.Private\2.0.3092.25969__90ba9c70f846762e\LOG.Foundation.Implementation.Private.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Dashboard.Shared.Private\2.0.3092.25965__90ba9c70f846762e\CLI.Component.Dashboard.Shared.Private.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\LOCALIZATION.Foundation.Private\2.0.3092.25940__90ba9c70f846762e\LOCALIZATION.Foundation.Private.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\AxInterop.WBOCXLib\1.0.0.0__90ba9c70f846762e\AxInterop.WBOCXLib.dll ()
MOD - C:\WINDOWS\assembly\GAC\Interop.WBOCXLib\1.0.0.0__90ba9c70f846762e\Interop.WBOCXLib.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\ATIDEMOS\2.0.3111.36977__90ba9c70f846762e\ATIDEMOS.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\APM.Server\2.0.3111.36976__90ba9c70f846762e\APM.Server.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\AEM.Server\2.0.3111.36976__90ba9c70f846762e\AEM.Server.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Component.Client.Shared.Private\2.0.3092.25954__90ba9c70f846762e\CLI.Component.Client.Shared.Private.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\ATICCCom\2.0.0.0__90ba9c70f846762e\ATICCCom.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CCC.Implementation\2.0.3111.37169__90ba9c70f846762e\CCC.Implementation.dll ()
MOD - C:\WINDOWS\assembly\GAC_MSIL\CLI.Caste.Graphics.Runtime.Shared.Private\2.0.3092.25995__90ba9c70f846762e\CLI.Caste.Graphics.Runtime.Shared.Private.dll ()
MOD - C:\Archivos de programa\WinRAR\RarExt.dll ()
MOD - C:\WINDOWS\system32\Primomonnt.dll ()
MOD - C:\Archivos de programa\Xerox One Touch\OneTouchRes.dll ()
 
 
========== Services (SafeList) ==========
 
SRV - (SDWSCService) -- C:\Archivos de programa\Spybot File not found
SRV - (SDUpdateService) -- C:\Archivos de programa\Spybot File not found
SRV - (SDScannerService) -- C:\Archivos de programa\Spybot File not found
SRV - (SkypeUpdate) -- C:\Archivos de programa\Skype\Updater\Updater.exe (Skype Technologies)
SRV - (odserv) -- C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE12\ODSERV.EXE (Microsoft Corporation)
SRV - (ose) -- C:\Archivos de programa\Archivos comunes\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (IDriverT) -- C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
 
 
========== Driver Services (SafeList) ==========
 
DRV - (WDICA) --  File not found
DRV - (PDRFRAME) --  File not found
DRV - (PDRELI) --  File not found
DRV - (PDFRAME) --  File not found
DRV - (PDCOMP) --  File not found
DRV - (PCIDump) --  File not found
DRV - (lbrtfdc) --  File not found
DRV - (i2omgmt) --  File not found
DRV - (Changer) --  File not found
DRV - (catchme) -- C:\DOCUME~1\Leonardo\CONFIG~1\Temp\catchme.sys File not found
DRV - (TrueSight) -- C:\WINDOWS\system32\drivers\TrueSight.sys ()
DRV - (TrojanKillerDriver) -- C:\WINDOWS\system32\drivers\gtkdrv.sys (Windows ® Win 7 DDK provider)
DRV - (ggsemc) -- C:\WINDOWS\system32\drivers\ggsemc.sys (Sony Ericsson Mobile Communications)
DRV - (ggflt) -- C:\WINDOWS\system32\drivers\ggflt.sys (Sony Ericsson Mobile Communications)
DRV - (epmntdrv) -- C:\WINDOWS\system32\epmntdrv.sys ()
DRV - (EuGdiDrv) -- C:\WINDOWS\system32\EuGdiDrv.sys ()
DRV - (mcdbus) -- C:\WINDOWS\system32\drivers\mcdbus.sys (MagicISO, Inc.)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (AtiHdmiService) -- C:\WINDOWS\system32\drivers\AtiHdmi.sys (ATI Research Inc.)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (speedfan) -- C:\WINDOWS\system32\speedfan.sys (Windows ® 2000 DDK provider)
DRV - (LVUSBSta) -- C:\WINDOWS\system32\drivers\LVUSBSta.sys (Logitech Inc.)
DRV - (CamDrL) -- C:\WINDOWS\system32\drivers\Camdrl.sys (Logitech Inc.)
DRV - (giveio) -- C:\WINDOWS\system32\giveio.sys ()
 
 
========== Standard Registry (SafeList) ==========
 
 
========== Internet Explorer ==========
 
IE - HKLM\..\SearchScopes,DefaultScope = 
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
 
 
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
 
IE - HKU\S-1-5-19\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-20\..\SearchScopes,DefaultScope = 
 
IE - HKU\S-1-5-21-789336058-1637723038-1644491937-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-789336058-1637723038-1644491937-1003\..\SearchScopes,DefaultScope = {1BC0E3DF-2172-4CB6-9D1C-54B5D6BEEE39}
IE - HKU\S-1-5-21-789336058-1637723038-1644491937-1003\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-789336058-1637723038-1644491937-1003\..\SearchScopes\{1BC0E3DF-2172-4CB6-9D1C-54B5D6BEEE39}: "URL" = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
IE - HKU\S-1-5-21-789336058-1637723038-1644491937-1003\..\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}: "URL" = http://search.alot.com/web?q={searchTerms}&pr=prov&client_id=FD14FCA001CAE9F900CF089C&install_time=2010-05-02T13:18:52Z&src_id=11404&camp_id=162&tb_version=2.5.10000.504
IE - HKU\S-1-5-21-789336058-1637723038-1644491937-1003\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKU\S-1-5-21-789336058-1637723038-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-789336058-1637723038-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local
 
========== FireFox ==========
 
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.3.1
FF - prefs.js..extensions.enabledItems: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}:0.9.7.2
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {AB2CE124-6272-4b12-94A9-7303C7397BD1}:4.2.0.5198
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}:6.0.26
FF - user.js - File not found
 
FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Archivos de programa\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Archivos de programa\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Archivos de programa\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
 
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Components: C:\Archivos de programa\Mozilla Firefox\components [2013/01/19 17:22:58 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.23\extensions\\Plugins: C:\Archivos de programa\Mozilla Firefox\plugins [2013/01/19 17:22:58 | 000,000,000 | ---D | M]
 
[2009/01/27 18:29:21 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Leonardo\Datos de programa\Mozilla\Extensions
[2013/01/19 15:50:32 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Leonardo\Datos de programa\Mozilla\Firefox\Profiles\zrwf3rwd.default\extensions
[2010/05/18 20:06:17 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Leonardo\Datos de programa\Mozilla\Firefox\Profiles\zrwf3rwd.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/11/29 00:16:38 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Leonardo\Datos de programa\Mozilla\Firefox\Profiles\zrwf3rwd.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2010/11/29 00:16:38 | 000,000,000 | ---D | M] (Download Statusbar) -- C:\Documents and Settings\Leonardo\Datos de programa\Mozilla\Firefox\Profiles\zrwf3rwd.default\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
[2013/01/19 15:50:32 | 000,000,000 | ---D | M] (No name found) -- C:\Archivos de programa\Mozilla Firefox\extensions
[2010/10/08 09:34:15 | 000,000,000 | ---D | M] (Skype extension for Firefox) -- C:\Archivos de programa\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2010/05/18 18:40:39 | 000,000,000 | ---D | M] (Java Console) -- C:\Archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/12/21 17:34:09 | 000,000,000 | ---D | M] (Java Console) -- C:\Archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/14 19:24:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/08/20 10:37:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Archivos de programa\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2010/05/18 18:40:22 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\ARCHIVOS DE PROGRAMA\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/05/04 03:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Archivos de programa\mozilla firefox\plugins\npdeployJava1.dll
[2011/12/14 12:23:46 | 000,001,538 | ---- | M] () -- C:\Archivos de programa\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/12/14 12:23:46 | 000,000,947 | ---- | M] () -- C:\Archivos de programa\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/12/14 12:23:46 | 000,000,769 | ---- | M] () -- C:\Archivos de programa\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/12/14 12:23:46 | 000,001,135 | ---- | M] () -- C:\Archivos de programa\mozilla firefox\searchplugins\yahoo-en-GB.xml
 
========== Chrome  ==========
 
CHR - homepage: http://www.google.co.uk/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
CHR - default_search_provider: suggest_url = 
CHR - homepage: http://www.google.co.uk/
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Leonardo\Configuraci\u00F3n local\Datos de programa\Google\Chrome\Application\24.0.1312.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Leonardo\Configuraci\u00F3n local\Datos de programa\Google\Chrome\Application\24.0.1312.57\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Leonardo\Configuraci\u00F3n local\Datos de programa\Google\Chrome\Application\24.0.1312.57\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\Leonardo\Configuraci\u00F3n local\Datos de programa\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Archivos de programa\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Archivos de programa\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Archivos de programa\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\np-mswmp.dll
CHR - plugin: Windows Genuine Advantage (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\npLegitCheckPlugin.dll
CHR - plugin: 2007 Microsoft Office system (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\NPOFF12.DLL
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Archivos de programa\Microsoft\Office Live\npOLW.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit)  (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\nprpjplug.dll
CHR - plugin: RealPlayer™ HTML5VideoShim Plug-In (32-bit)  (Enabled) = C:\Documents and Settings\All Users\Datos de programa\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Archivos de programa\Mozilla Firefox\plugins\nprjplug.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Archivos de programa\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Archivos de programa\Windows Media Player\npwmsdrm.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Archivos de programa\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Leonardo\Configuraci\u00F3n local\Datos de programa\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - Extension: YouTube = C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
CHR - Extension: Google Search = C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
CHR - Extension: Gmail = C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\
 
O1 HOSTS File: ([2013/02/26 22:20:13 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1       localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Archivos de programa\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O4 - HKLM..\Run: [Adobe ARM] C:\Archivos de programa\Archivos comunes\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Eraser] C:\Archivos de programa\Eraser\Eraser.exe (The Eraser Project)
O4 - HKLM..\Run: [LogitechVideoRepair] C:\Archivos de programa\Logitech\Video\ISStart.exe (Logitech Inc.)
O4 - HKLM..\Run: [LogitechVideoTray] C:\Archivos de programa\Logitech\Video\LogiTray.exe (Logitech Inc.)
O4 - HKLM..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [OneTouch Monitor] C:\Archivos de programa\Xerox One Touch\OneTouchMon.exe (Visioneer Inc)
O4 - HKLM..\Run: [SDTray] C:\Archivos de programa\Spybot - Search & Destroy 2\SDTray.exe (Safer-Networking Ltd.)
O4 - HKLM..\Run: [StartCCC] C:\Archivos de programa\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-789336058-1637723038-1644491937-1003..\Run: [LogitechSoftwareUpdate] C:\Archivos de programa\Logitech\Video\ManifestEngine.exe (Logitech Inc.)
O4 - Startup: C:\Documents and Settings\Leonardo\Menú Inicio\Programas\Inicio\MagicDisc.lnk = C:\Archivos de programa\MagicDisc\MagicDisc.exe (MagicISO, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-789336058-1637723038-1644491937-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-789336058-1637723038-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-789336058-1637723038-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-789336058-1637723038-1644491937-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Archivos de programa\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Archivos de programa\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233083407109 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233083483796 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab (PhotoPickConvert Class)
O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab (BatchDownloader Class)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{57857710-DD11-4161-858A-15A8D60215DF}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Archivos de programa\Archivos comunes\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Archivos de programa\Archivos comunes\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Archivos de programa\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\WgaLogon: DllName - (WgaLogon.dll) - C:\WINDOWS\System32\WgaLogon.dll ()
O24 - Desktop Components:0 (Mi página de inicio actual) - About:Home
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Felicidad.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Felicidad.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/01/27 17:49:27 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
 
========== Files/Folders - Created Within 30 Days ==========
 
[2013/02/28 22:38:57 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Leonardo\Escritorio\OTL.exe
[2013/02/28 00:04:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Skype
[2013/02/28 00:04:45 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Archivos comunes\Skype
[2013/02/26 22:17:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Malwarebytes' Anti-Malware
[2013/02/26 22:11:22 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2013/02/26 22:07:22 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2013/02/26 22:07:22 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2013/02/26 22:07:22 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2013/02/26 22:07:22 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2013/02/26 22:07:12 | 000,000,000 | ---D | C] -- C:\Qoobox
[2013/02/26 22:06:54 | 000,000,000 | ---D | C] -- C:\WINDOWS\erdnt
[2013/02/26 22:04:54 | 005,036,023 | R--- | C] (Swearware) -- C:\Documents and Settings\Leonardo\Escritorio\ComboFix.exe
[2013/02/24 12:16:28 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2013/02/23 00:25:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Leonardo\Escritorio\RK_Quarantine
[2013/02/22 21:38:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
[2013/02/22 21:38:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Spybot - Search & Destroy 2
[2013/02/22 21:37:49 | 000,015,224 | ---- | C] (Safer Networking Limited) -- C:\WINDOWS\System32\sdnclean.exe
[2013/02/22 21:37:41 | 000,000,000 | ---D | C] -- C:\Archivos de programa\Spybot - Search & Destroy 2
[2013/02/22 21:09:39 | 000,000,000 | ---D | C] -- C:\Archivos de programa\ESET
[2013/02/22 20:04:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menú Inicio\Programas\GridinSoft Trojan Killer
[2013/02/22 20:04:51 | 000,000,000 | ---D | C] -- C:\Archivos de programa\GridinSoft Trojan Killer
[2013/02/22 19:52:32 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2013/02/22 19:22:25 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Leonardo\Recent
[2013/02/22 12:55:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Leonardo\Menú Inicio\Programas\System Repair
[2010/06/13 23:31:37 | 000,463,152 | ---- | C] (Microsoft Corporation) -- C:\Archivos de programa\setup.exe
[13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\Fonts\*.tmp files -> C:\WINDOWS\Fonts\*.tmp -> ]
 
========== Files - Modified Within 30 Days ==========
 
[2013/02/28 22:39:06 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Leonardo\Escritorio\OTL.exe
[2013/02/28 22:32:03 | 000,000,442 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{3B662D6E-2163-4EB8-9F83-12FCC1DF4732}.job
[2013/02/28 22:13:53 | 000,000,634 | ---- | M] () -- C:\WINDOWS\tasks\Check for updates (Spybot - Search & Destroy).job
[2013/02/28 22:02:09 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/02/28 22:02:06 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/02/28 22:02:00 | 000,267,008 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2013/02/28 00:19:23 | 000,517,456 | ---- | M] () -- C:\WINDOWS\System32\perfh00A.dat
[2013/02/28 00:19:23 | 000,452,488 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/02/28 00:19:23 | 000,097,070 | ---- | M] () -- C:\WINDOWS\System32\perfc00A.dat
[2013/02/28 00:19:23 | 000,076,108 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/02/28 00:16:02 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2013/02/28 00:04:46 | 000,001,892 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Skype.lnk
[2013/02/27 21:34:18 | 000,002,019 | ---- | M] () -- C:\Documents and Settings\Leonardo\Escritorio\System Repair.lnk
[2013/02/26 22:20:13 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2013/02/26 22:11:28 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2013/02/26 21:49:24 | 005,036,023 | R--- | M] (Swearware) -- C:\Documents and Settings\Leonardo\Escritorio\ComboFix.exe
[2013/02/25 22:54:36 | 000,015,616 | ---- | M] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2013/02/25 22:33:36 | 000,816,640 | ---- | M] () -- C:\Documents and Settings\Leonardo\Escritorio\RogueKiller.exe
[2013/02/25 22:32:46 | 000,594,019 | ---- | M] () -- C:\Documents and Settings\Leonardo\Escritorio\adwcleaner.exe
[2013/02/25 22:31:52 | 000,881,935 | ---- | M] () -- C:\Documents and Settings\Leonardo\Escritorio\SecurityCheck.exe
[2013/02/22 23:18:08 | 000,000,630 | ---- | M] () -- C:\WINDOWS\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2013/02/22 23:18:08 | 000,000,460 | ---- | M] () -- C:\WINDOWS\tasks\Scan the system (Spybot - Search & Destroy).job
[2013/02/22 21:38:00 | 000,001,899 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Spybot-S&D Start Center.lnk
[2013/02/22 20:04:59 | 000,000,863 | ---- | M] () -- C:\Documents and Settings\All Users\Escritorio\Trojan Killer.lnk
[2013/02/21 20:05:07 | 000,000,168 | ---- | M] () -- C:\Documents and Settings\All Users\Datos de programa\-ODJvPpaotTbr
[2013/02/21 20:05:07 | 000,000,152 | ---- | M] () -- C:\Documents and Settings\All Users\Datos de programa\-ODJvPpaotTb
[2013/02/18 23:26:52 | 000,896,865 | ---- | M] () -- C:\Documents and Settings\Leonardo\Escritorio\Morocco.pdf
[2013/02/18 23:26:52 | 000,006,465 | ---- | M] () -- C:\Documents and Settings\Leonardo\Datos de programa\PrimoPDFSet.xml
[2013/02/18 23:17:08 | 000,953,591 | ---- | M] () -- C:\Documents and Settings\Leonardo\Escritorio\Passport Identity.pdf
[2013/02/18 23:15:10 | 015,579,095 | ---- | M] () -- C:\Documents and Settings\Leonardo\Escritorio\OneTouch V2.pdf
[2013/02/11 22:36:03 | 000,701,994 | ---- | M] () -- C:\Documents and Settings\Leonardo\Escritorio\GSA Award Letter.pdf
[2013/02/05 21:42:23 | 000,002,363 | ---- | M] () -- C:\Documents and Settings\Leonardo\Escritorio\Google Chrome.lnk
[13 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
 
========== Files Created - No Company Name ==========
 
[2013/02/26 22:17:08 | 000,002,067 | ---- | C] () -- C:\Documents and Settings\All Users\Menú Inicio\Programas\MSN.lnk
[2013/02/26 22:17:08 | 000,001,577 | ---- | C] () -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Eraser.lnk
[2013/02/26 22:17:08 | 000,000,835 | ---- | C] () -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Windows Movie Maker.lnk
[2013/02/26 22:17:08 | 000,000,655 | ---- | C] () -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Windows Messenger.lnk
[2013/02/26 22:17:07 | 000,002,347 | ---- | C] () -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Adobe Reader 9.lnk
[2013/02/26 22:17:07 | 000,001,830 | ---- | C] () -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Apple Software Update.lnk
[2013/02/26 22:17:07 | 000,000,775 | ---- | C] () -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Acrobat.com.lnk
[2013/02/26 22:11:28 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2013/02/26 22:11:25 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2013/02/26 22:07:22 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2013/02/26 22:07:22 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2013/02/26 22:07:22 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2013/02/26 22:07:22 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2013/02/26 22:07:22 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2013/02/25 22:54:36 | 000,015,616 | ---- | C] () -- C:\WINDOWS\System32\drivers\TrueSight.sys
[2013/02/25 22:52:51 | 000,816,640 | ---- | C] () -- C:\Documents and Settings\Leonardo\Escritorio\RogueKiller.exe
[2013/02/25 22:46:05 | 000,594,019 | ---- | C] () -- C:\Documents and Settings\Leonardo\Escritorio\adwcleaner.exe
[2013/02/25 22:43:32 | 000,881,935 | ---- | C] () -- C:\Documents and Settings\Leonardo\Escritorio\SecurityCheck.exe
[2013/02/22 21:38:08 | 000,000,634 | ---- | C] () -- C:\WINDOWS\tasks\Check for updates (Spybot - Search & Destroy).job
[2013/02/22 21:38:08 | 000,000,630 | ---- | C] () -- C:\WINDOWS\tasks\Refresh immunization (Spybot - Search & Destroy).job
[2013/02/22 21:38:08 | 000,000,460 | ---- | C] () -- C:\WINDOWS\tasks\Scan the system (Spybot - Search & Destroy).job
[2013/02/22 21:38:00 | 000,001,905 | ---- | C] () -- C:\Documents and Settings\All Users\Menú Inicio\Programas\Spybot-S&D Start Center.lnk
[2013/02/22 21:38:00 | 000,001,899 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Spybot-S&D Start Center.lnk
[2013/02/22 20:04:59 | 000,000,863 | ---- | C] () -- C:\Documents and Settings\All Users\Escritorio\Trojan Killer.lnk
[2013/02/22 12:55:10 | 000,002,019 | ---- | C] () -- C:\Documents and Settings\Leonardo\Escritorio\System Repair.lnk
[2013/02/21 20:05:07 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Datos de programa\-ODJvPpaotTbr
[2013/02/21 20:05:07 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Datos de programa\-ODJvPpaotTb
[2013/02/18 23:26:51 | 000,896,865 | ---- | C] () -- C:\Documents and Settings\Leonardo\Escritorio\Morocco.pdf
[2013/02/18 23:17:07 | 000,953,591 | ---- | C] () -- C:\Documents and Settings\Leonardo\Escritorio\Passport Identity.pdf
[2013/02/18 23:14:09 | 015,579,095 | ---- | C] () -- C:\Documents and Settings\Leonardo\Escritorio\OneTouch V2.pdf
[2013/02/11 22:02:17 | 000,701,994 | ---- | C] () -- C:\Documents and Settings\Leonardo\Escritorio\GSA Award Letter.pdf
[2012/06/05 20:29:36 | 000,032,072 | ---- | C] () -- C:\WINDOWS\System32\drivers\48230029.sys
[2012/02/15 11:31:59 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/17 11:53:38 | 000,000,452 | RHS- | C] () -- C:\Documents and Settings\Leonardo\ntuser.pol
[2011/08/12 20:56:18 | 000,000,000 | ---- | C] () -- C:\WINDOWS\iPlayer.INI
[2011/03/28 21:24:51 | 000,060,483 | ---- | C] () -- C:\Documents and Settings\Leonardo\CouncilTaxApril.pdf
[2010/06/13 23:31:37 | 000,002,480 | ---- | C] () -- C:\Archivos de programa\README.HTM
[2010/06/13 23:31:37 | 000,000,175 | ---- | C] () -- C:\Archivos de programa\autorun.inf
[2010/03/26 21:26:27 | 000,009,666 | -HS- | C] () -- C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\YGvcpA571Wx
[2010/03/26 21:26:27 | 000,009,666 | -HS- | C] () -- C:\Documents and Settings\All Users\Datos de programa\YGvcpA571Wx
[2010/01/01 03:03:12 | 000,022,135 | ---- | C] () -- C:\Documents and Settings\Leonardo\Menú Inicio.rar
[2009/03/26 02:25:51 | 000,006,465 | ---- | C] () -- C:\Documents and Settings\Leonardo\Datos de programa\PrimoPDFSet.xml
[2009/02/17 21:04:39 | 000,115,200 | ---- | C] () -- C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/01/27 20:34:47 | 000,000,137 | ---- | C] () -- C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\fusioncache.dat
[2009/01/27 19:47:10 | 000,022,040 | ---- | C] () -- C:\Documents and Settings\Leonardo\Datos de programa\svm32.dat
 
========== ZeroAccess Check ==========
 
[2009/01/27 18:06:41 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
 
[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/14 05:48:38 | 001,499,648 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 10:52:53 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free
 
[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/14 05:48:48 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both
 
< End of report >
 


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 28 February 2013 - 06:39 PM


Hello l30nard0

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script
  • Double-click OTL.exe to start the program.
  • Copy and paste the following code into the Custom Scans/Fixes text box.
    :OTL
    FF - user.js - File not found
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    [2013/02/22 12:55:10 | 000,002,019 | ---- | C] () -- C:\Documents and Settings\Leonardo\Escritorio\System Repair.lnk
    [2013/02/21 20:05:07 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Datos de programa\-ODJvPpaotTbr
    [2013/02/21 20:05:07 | 000,000,152 | ---- | C] () -- C:\Documents and Settings\All Users\Datos de programa\-ODJvPpaotTb
    [2010/03/26 21:26:27 | 000,009,666 | -HS- | C] () -- C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\YGvcpA571Wx
    [2010/03/26 21:26:27 | 000,009,666 | -HS- | C] () -- C:\Documents and Settings\All Users\Datos de programa\YGvcpA571Wx
    :Files
    ipconfig /flushdns /c
    
    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]
    
  • Then click the Run Fix button at the top.
  • Click OK.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and paste that report in your next reply.

    Note: if the report does not pop up after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.


  • Let me know how things are doing

    Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
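The entries gringo's fix script targets above share a few shapes: a BHO registration with no name and no CLSID behind it, DPF (ActiveX) entries whose registry key is broken, and unsigned files with random-looking names (some hidden+system) sitting in the users' data folders. The Python below is an added example, not code from this thread or from OTL itself, that runs those heuristics over OTL log lines so a reader can see why those lines and not their neighbours were chosen. The sample lines are copied from the log posted earlier in the thread plus one directory entry for contrast; the rules, the thresholds and the names `triage`, `triage_line` and `looks_random` are my assumptions about what makes an entry worth a second look, not OTL's own logic.

```python
"""Triage heuristics over OTL log lines (added example, not part of OTL)."""
import re
from typing import Optional

# Constructed sample: lines of the shapes OTL emits, taken from the log
# posted in this thread, plus one directory entry that must not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab (MUWebControl Class)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
[2013/02/22 21:38:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Datos de programa\Spybot - Search & Destroy
[2013/02/22 21:37:49 | 000,015,224 | ---- | C] (Safer Networking Limited) -- C:\WINDOWS\System32\sdnclean.exe
[2013/02/21 20:05:07 | 000,000,168 | ---- | C] () -- C:\Documents and Settings\All Users\Datos de programa\-ODJvPpaotTbr
[2010/03/26 21:26:27 | 000,009,666 | -HS- | C] () -- C:\Documents and Settings\All Users\Datos de programa\YGvcpA571Wx
[2013/02/18 23:26:51 | 000,896,865 | ---- | C] () -- C:\Documents and Settings\Leonardo\Escritorio\Morocco.pdf
"""

# OTL file entry: [timestamp | size | attrs | C/M] (company) -- path
# Directory entries omit the "(company)" field, so that group is optional.
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
WINLOGON_RE = re.compile(r"^O20 - HKLM Winlogon: (?P<key>\w+) - \((?P<value>[^)]*)\)")
# Assumed baseline for a stock Windows XP install (what the thread's log shows).
EXPECTED_WINLOGON = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}
# Path fragments (English and the Spanish ones in this log) that mark user data folders.
DATA_DIR_MARKERS = ("datos de programa", "application data", "programdata",
                    "configuración local", "local settings")


def class_runs(name: str) -> int:
    """Count maximal runs of one character class (upper/lower/digit/other)."""
    runs, prev = 0, None
    for ch in name:
        cls = "U" if ch.isupper() else "l" if ch.islower() else "d" if ch.isdigit() else "o"
        if cls != prev:
            runs, prev = runs + 1, cls
    return runs


def looks_random(name: str) -> bool:
    """Heuristic (an assumption): a name with no extension and no spaces that
    starts with punctuation or flips character class often, e.g. YGvcpA571Wx."""
    if not name or " " in name or "." in name:
        return False
    if not name[0].isalnum():
        return True
    return len(name) >= 8 and class_runs(name) >= 5


def in_data_dir(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in DATA_DIR_MARKERS)


def triage_line(line: str) -> Optional[str]:
    """Return the reason(s) a line deserves a closer look, or None."""
    reasons = []
    if line.startswith("O2 - BHO: (no name)") and "No CLSID value found" in line:
        reasons.append("BHO registration with no name and no CLSID backing it")
    elif line.startswith("O16 - DPF:") and "Reg Error" in line:
        reasons.append("ActiveX (DPF) entry whose registry key is broken")
    m = WINLOGON_RE.match(line)
    if m:
        key = m.group("key").lower()
        # Winlogon values are comma-separated; every element must be a known binary.
        for part in m.group("value").split(","):
            base = part.strip().rsplit("\\", 1)[-1].lower()
            if base and base not in EXPECTED_WINLOGON.get(key, set()):
                reasons.append(f"unexpected Winlogon {m.group('key')} value: {part.strip()}")
    f = FILE_RE.match(line)
    if f and in_data_dir(f.group("path")):
        attrs, path = f.group("attrs"), f.group("path")
        is_dir = "D" in attrs
        name = path.rsplit("\\", 1)[-1]
        if not is_dir and "H" in attrs and "S" in attrs:
            reasons.append("hidden+system file in a user data directory")
        if not is_dir and not (f.group("company") or "") and looks_random(name):
            reasons.append("file with no company name and a random name in a user data directory")
    return "; ".join(reasons) or None


def triage(log_text: str) -> list:
    """Return [(line, reason), ...] for every line that triggered a rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reason = triage_line(line)
            if reason:
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample, the four flagged lines are exactly the BHO, the ultrashim DPF control and the two random-named files, while the Microsoft Update control, the stock Winlogon values, sdnclean.exe and the PDF pass through. The random-name rule is deliberately only applied to files (not folders) under the data directories, because folder names such as `TDSSKiller_Quarantine` or `Spybot - Search & Destroy 2` flip case often enough to trip it elsewhere.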

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 March 2013 - 07:29 AM


Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools.




Gringo

#12 l30nard0

l30nard0
  • Topic Starter

  • Members
  • 11 posts

Posted 03 March 2013 - 06:39 PM

Hello Gringo

 

(Thanks for your patience and sorry I couldn't get back to you sooner). I carried out the instructions as you suggested and yes the machine did ask me for a reboot. Afterwards the log didn't pop up but I was able to find it in C:\_OTL\MovedFiles. There were also other subfolders here: C:\_OTL\MovedFiles\03032013_224746\C_Documents and Settings. This contained two subfolders, "All Users" (which led to 3 very strange files) and "Leonardo" (which also led to one very strange file).

 

Attached file: subfolders1.JPG (23.04KB)

 

I have noticed a new icon on my desktop " Thumbs.db" which I am sure I have seen before (I do not believe this is dangerous but thought I would mention it).

 

I haven't really used the computer much this weekend but I again had to do some light browsing and the computer appeared "normal". However the "system repair" taskbar icon is still there. The desktop item has however disappeared. I can still see instances of Trojan Killer on the desktop, in the start menu and under all programs.

 

Thanks for your continuing help. I am ready to follow your instructions.

 

l30nard0

 

 

========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Starting removal of ActiveX control {8FFBE65D-2C9C-4669-84BD-5829DC0B603C}
C:\WINDOWS\Downloaded Program Files\erma.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\Documents and Settings\Leonardo\Escritorio\System Repair.lnk moved successfully.
C:\Documents and Settings\All Users\Datos de programa\-ODJvPpaotTbr moved successfully.
C:\Documents and Settings\All Users\Datos de programa\-ODJvPpaotTb moved successfully.
C:\Documents and Settings\Leonardo\Configuración local\Datos de programa\YGvcpA571Wx moved successfully.
C:\Documents and Settings\All Users\Datos de programa\YGvcpA571Wx moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Configuración IP de Windows
Se vació con éxito la caché de resolución de DNS.
C:\Documents and Settings\Leonardo\Escritorio\cmd.bat deleted successfully.
C:\Documents and Settings\Leonardo\Escritorio\cmd.txt deleted successfully.
========== COMMANDS ==========
 
[EMPTYJAVA]
 
User: Administrador
 
User: All Users
 
User: Default User
 
User: Leonardo
->Java cache emptied: 0 bytes
 
User: LocalService
 
User: NetworkService
 
Total Java Files Cleaned = 0.00 mb
 
 
[EMPTYFLASH]
 
User: Administrador
->Flash cache emptied: 42314 bytes
 
User: All Users
 
User: Default User
->Flash cache emptied: 41620 bytes
 
User: Leonardo
->Flash cache emptied: 114712 bytes
 
User: LocalService
 
User: NetworkService
 
Total Flash Files Cleaned = 0.00 mb
 
 
OTL by OldTimer - Version 3.2.69.0 log created on 03032013_224746

 

 



#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 03 March 2013 - 11:25 PM

Hello


However the "system repair" taskbar icon is still there. The desktop Item has however disappeared. I can still see instances of Trojan Killer in the desktop, the start menu and under all programs. - in the locations that you see this can you delete them - I do not see them in the reports


gringo

#14 l30nard0

l30nard0
  • Topic Starter

  • Members
  • 11 posts

Posted 04 March 2013 - 03:52 PM

Hi Gringo

 

I have now removed and deleted those shortcuts. Is there anything else that I should do?

 

l30nard0



#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 March 2013 - 12:54 AM


Hello l30nard0

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:
 ClearJavaCache:: 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following:
    • report from ComboFix
    • let me know of any problems you may have had
    • How is the computer doing now after running the script?

Gringo




